Five Key Privacy Principles

Reprinted from Privacy For Business: Web Sites and Email, published by Dreva Hill LLC, all rights reserved.

Fair Information Practice Principles

Basic data privacy principles were being discussed long before the commercialization of the Internet. In 1998, the U.S. Federal Trade Commission reiterated these principles in the context of the Internet when it produced, at the request of the legislative branch, a document called "Privacy Online: A Report to Congress." The report began by observing that:

"Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the manner in which entities collect and use personal information - their "information practices" - and the safeguards required to assure those practices are fair and provide adequate privacy protection. The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices."

Since its publication, this report has helped to shape the current "privacy-enforcement" role of the FTC. In this chapter, we focus on the five core principles of privacy protection that the FTC determined were "widely accepted," namely: Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, and Enforcement/Redress.

Notice/Awareness

Notice is a concept that should be familiar to network professionals. Many systems, including many Web sites, put users on notice with respect to ownership, security, and terms of use. Such notice might be a banner that appears during network log-on, warning that access to the network is restricted to authorized users. It might be a splash page for a Web site informing visitors that clicking to enter constitutes agreement to the terms of use. In the context of Web site privacy, notice means you must advise visitors to your site of your policies with respect to the personal data you process. As the FTC puts it:

"Consumers should be given notice of an entity's information practices before any personal information is collected from them. Without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information. Moreover, three of the other principles (choice/consent, access/participation, and enforcement/redress) are only meaningful when a consumer has notice of an entity's policies, and his or her rights with respect thereto."

In practical terms, the primary means of providing privacy notice to Web site visitors is the privacy statement. For simple sites that set no cookies and accept no user input, such a statement is easy to draft. The more complex and interactive the site, the more work it will take to craft a statement that covers all the bases. Here are the main points that need to be covered:

  • Identification of the entity collecting the data.
  • Identification of the intended use of the data.
  • Identification of any potential recipients of the data.
  • The nature of the data collected and the means by which it is collected, if not obvious (for example, passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information).
  • Whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information.
  • The steps taken by the data collector to ensure the confidentiality, integrity, and quality of the data.

Of course, it might not be your job to pull together this information and come up with a privacy statement - in recent years, many large organizations have been appointing chief privacy officers to oversee the creation of privacy policies for the organization and its Web sites. Nevertheless, if you are responsible for the Web site, you may be asked to do some of the work, notably documenting logging activity and the use of cookies. The following sections briefly discuss these issues.

Logging Activity: You need to let visitors to your site know if you use automated tools to log information about their visits (information such as the IP address they connected from, the type of browser and operating system they used to access your site, the date and time they accessed the site, the pages they viewed and the paths that they took through the site). Standard Web server access logs capture most of this by default, so the question is usually what you retain and for how long, not whether it is collected.

Use of Web Bugs and Beacons: A Web bug or beacon is typically a tiny (often one-pixel) image or a script loaded from a server, frequently a third party's, so that the request itself records the visit. Use of these techniques should be disclosed, along with a clear statement of how and why they are used, what information they track, and who operates the server that receives it.

Use of Cookies: Use of cookies should be disclosed and a distinction should be made between session cookies, which carry no expiration date and are discarded when the user closes the Web browser, and persistent cookies, which carry an expiration date (an Expires or Max-Age attribute) and remain on the user's machine after the browser closes, to be sent back on future visits to the site. The statement should also say whether any of the cookies are set by third parties rather than by your own site.
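As an added example, and not code from the original article, the following Python script does the documentation job described above for cookies: it applies the RFC 6265 lifetime rules to Set-Cookie headers captured from a site's responses and labels each cookie as a session cookie, a persistent cookie or a deletion, along with its Secure, HttpOnly and SameSite attributes. The header strings in SAMPLE_HEADERS and the fixed AUDIT_TIME clock are constructed for illustration; in practice you would paste in headers collected with a browser's developer tools or with curl -i.

```python
"""Classify Set-Cookie headers as session, persistent or deletion cookies.

Added example for the cookie-disclosure task; not from the original article.
SAMPLE_HEADERS and AUDIT_TIME are constructed so the output is reproducible.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Fixed clock for the audit (constructed); a real audit would use now().
AUDIT_TIME = datetime(2004, 1, 1, tzinfo=timezone.utc)


@dataclass
class CookieInfo:
    name: str
    kind: str                        # "session", "persistent" or "delete"
    lifetime_seconds: Optional[int]  # None for session cookies
    secure: bool
    httponly: bool
    samesite: Optional[str]


def classify_set_cookie(header: str, now: Optional[datetime] = None) -> CookieInfo:
    """Apply the RFC 6265 rules that decide whether a cookie outlives the session.

    Max-Age takes precedence over Expires. A Max-Age <= 0, or an Expires date
    already in the past, tells the browser to discard the cookie (this is how a
    site deletes a cookie). Neither attribute present means a session cookie.
    """
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()

    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    secure = httponly = False
    samesite: Optional[str] = None

    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass                      # malformed Max-Age is ignored
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
            except (ValueError, TypeError):
                pass                      # unparseable date is ignored
            else:
                if expires.tzinfo is None:   # treat a naive date as UTC
                    expires = expires.replace(tzinfo=timezone.utc)
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = val

    if max_age is not None:
        lifetime = max_age
    elif expires is not None:
        lifetime = int((expires - now).total_seconds())
    else:
        return CookieInfo(name, "session", None, secure, httponly, samesite)

    kind = "persistent" if lifetime > 0 else "delete"
    return CookieInfo(name, kind, lifetime, secure, httponly, samesite)


def cookie_inventory(headers: List[str], now: Optional[datetime] = None) -> List[str]:
    """One human-readable line per cookie, for the privacy-statement worksheet."""
    lines = []
    for h in headers:
        c = classify_set_cookie(h, now)
        life = "n/a" if c.lifetime_seconds is None else f"{c.lifetime_seconds}s"
        flags = ",".join(f for f, on in (("Secure", c.secure), ("HttpOnly", c.httponly)) if on) or "-"
        lines.append(f"{c.name}: {c.kind} (lifetime {life}; flags {flags}; SameSite {c.samesite or 'unset'})")
    return lines


# Constructed sample headers covering the cases the rules distinguish.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Max-Age=31536000; Path=/; SameSite=Lax",
    "track=xyz; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Path=/",
    "old=; Max-Age=0; Path=/",
    "legacy=1; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "both=1; Max-Age=60; Expires=Wed, 01 Jan 2014 00:00:00 GMT",
]

if __name__ == "__main__":
    for line in cookie_inventory(SAMPLE_HEADERS, AUDIT_TIME):
        print(line)
```

The Secure and HttpOnly columns are worth keeping in the inventory even though the privacy statement does not normally mention them: a persistent identifier set without Secure can be replayed over plain HTTP, and one set without HttpOnly is readable by any script on the page, so the same audit that feeds the notice also flags cookies the Integrity/Security principle should care about.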

Choice/Consent

Like Notice/Awareness, this second principle should be addressed with honesty and sensitivity. Choice means giving consumers options as to how any personal information collected from them may be used. This relates to secondary uses of information, which the FTC describes as "uses beyond those necessary to complete the contemplated transaction." The FTC notes that "such secondary uses can be internal, such as placing the consumer on the collecting company's mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties."

Whether or not you are involved in deciding what use is made of personal information that comes from your Web site, you need to know whether you are going to give users of the site any choice in the matter, even if it is something as simple as a check box that says "You may e-mail me about special offers on related products." As you might expect, privacy advocates prefer the opt-in form of consent, in which people specifically request to be included on a mailing list, rather than opt-out, which adds people to the list by default, until such time as they request to be removed.

Access/Participation

The point of access and participation is to let the people you hold information about find out what that information is, and contest its accuracy and completeness if they believe it is wrong. Many online systems currently lack the means to implement such processes securely. However, access is considered an essential element of fair information practices and privacy protection. In the context of business Web sites, the main obstacle to providing access and participation is a lack of cheap and secure methods of reliably identifying, that is, authenticating, the data subjects: you cannot safely show someone "their" record until you are sure who they are.

Compliance with U.S. laws that mandate access, such as the Fair Credit Reporting Act, is accomplished right now through more traditional channels of communication, such as letters and faxes. Both require human participation and review. Unless you have a high level of assurance that you are giving online access to the appropriate person - such as multi-factor authentication - there is a serious risk that providing access in support of privacy will actually lead to privacy breaches (for example, through unauthorized disclosure to someone posing as the data subject). Note that "forgot my password" flows and other account-recovery paths are part of that assurance: an access feature is only as strong as the weakest way to get into the account that uses it.

Watch Out: More and more companies are finding that the cost of communicating with customers via the Web and e-mail is much lower than communicating via voice or paper. Consequently, management will want to explore, sooner or later, data subject access to company PII databases through the Web site and/or e-mail. Unfortunately, until the security of the underlying technology improves, this strategy is fraught with risks, such as unauthorized disclosure through spoofing, pretexting or the interception of unencrypted e-mail. Do not attempt unless management is fully aware of the risks and prepared to fund appropriate levels of additional security.

Integrity/Security

The fourth widely accepted principle is that data be accurate and secure. To assure data integrity, data collectors, such as Web sites, must take reasonable steps: using only reputable sources of data, cross-referencing data against multiple sources, providing consumer access to data, and destroying stale data or converting it to anonymous form. Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use or disclosure of the data. Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include the following:

  • Limiting access through access control lists (ACLs), network passwords, database security and other methods, following the principle of least privilege: each account gets only the access its job requires.
  • Storing data on secure servers that cannot be accessed via the Internet or modem, so that the public Web server holds only what it needs to serve pages and the personal data lives behind it.
  • Encryption of data during transmission and storage. Secure Sockets Layer, or SSL (today its successor, TLS), is considered acceptable when a visitor submits information to a Web site, because it authenticates the server to the visitor and encrypts the channel. Note, however, that SSL by itself does not authenticate the visitor; unless the client system presents a digital certificate or other authentication upon which the server can rely, an encrypted channel alone is not an acceptable basis for disclosing personal data from server to client, since the server still does not know who is on the other end.

Enforcement/Redress

The FTC has observed that "the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them." What that mechanism is for your Web site will depend on several factors. Your Web site may have to comply with specific privacy laws. Your organization may subscribe to an industry code of practice or privacy seal program, both of which may include dispute resolution mechanisms and consequences for failure to comply with program requirements. A private action against your organization is also a possibility if the organization is found to be responsible for a breach of privacy that caused harm to an individual. Class-action lawsuits have also been brought, alleging privacy invasion.

Reprinted from Privacy For Business: Web Sites and Email, published by Dreva Hill LLC, all rights reserved. For ordering information visit drevahill.com/cw or call 1-800-247-6553.

Special Report

Compliance Headaches

Copyright © 2004 IDG Communications, Inc.